Accessing the built-in observability tools of Kyma runtime
Included with Kyma is the tool Grafana which provides a centralized view of the logs and a number of dashboards to view various metrics of workloads running in the Kyma runtime. For more information you can find a nice overview of Grafana by Gaurav Abbi.
The latest release of Kyma now utilizes SAP Identity Authentication Service IAS for authentication and Kubernetes Role Based Access Control (RBAC) to manage authorizations within the runtime. Kubernetes provides a number of resources, such as deployments, config maps, etc, that users interact with via the Kubernetes API. The API itself can also be extended to provide additional functionality, this is how Kyma API Rules are provided. RBAC provides a mechanism to control the access of the resources of the Kubernetes API by providing verbs, read, create delete, that control user access to these resources.
Unfortunately Grafana is not part of or an extension of the Kuberenetes API, so it does not support the RBAC methodology. For this reason Grafana by default is not exposed externally, but there are a few options to do so. Most effortlessly, after setting up kubectl, you can use the port-forward feature of kubectl to access Grafana locally. You also have the option to configure your own custom SAP IAS tenant to manage the access using the provided Oauth2 Proxy. You can find the configuration steps for both of these methods within the help documentation. The Oauth2 Proxy also supports a number of other providers, such as Github, which can be used to manage access. The next sections will walk through this procedure.
Start by creating a new OAuth Application and providing the values. You can find the cluster domain URL of your Kyma runtime on the main dashboard, listed under API Server Address, replace api with Grafana.
Application Name: Grafana
Homepage URL: https://grafana.<your cluster domain>.kyma.ondemand.com
Authorization callback URL: https://grafana.<your cluster domain>.kyma.ondemand.com/oauth2/callback
- Choose Register application
On the next screen choose the option to generate a new client secret
Copy both the Client ID and the Client secret. These values will be used in the next steps.
Configuration of the Oauth2 Proxy
The configuration of the Oauth2 proxy is accomplished by creating a Kubernetes secret which is read by the proxy once it is restarted. There are a number of different configuration parameters of the provider to adjust how it works. Please note that a parameter listed as –github-user will be assigned within the secret as OAUTH2_PROXY_GITHUB_USER. Using the script below, replace the client Id and secret from the github application and your github email address. Multiple email addresses can be added by comma separating them. The secret could also be created within the dashboard, by choosing the namespace kyma-system and choosing the menu option Configuration -> Secrets and using the option to Create Secret.
kubectl -n kyma-system create secret generic monitoring-auth-proxy-grafana-user \ --from-literal="OAUTH2_PROXY_CLIENT_ID=<your client id>" \ --from-literal="OAUTH2_PROXY_CLIENT_SECRET=<your client secret>" \ --from-literal="OAUTH2_PROXY_PROVIDER=github" \ --from-literal="OAUTH2_PROXY_GITHUB_USER=<your email address>" \ --from-literal="OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true"
After the secret has been applied restart the Oauth2 proxy pod by running
kubectl -n kyma-system rollout restart deployment monitoring-auth-proxy-grafana
After the pod has restarted choosing the link to Grafana within the Kyma dashboard under the Observability menu option, should now prompt you requesting authorization. After choosing Authorize you should now be redirected to Grafana.
Thanks for your blog. It helps me a lot. I got a question, how can I prevent all github user to access my Grafana dashboard on BTP kyma runtime?
I thought "OAUTH2_PROXY_GITHUB_USER" as a white list who got the permission to access the Grafana. However, I forward the Grafana address to my colleague who is not in OAUTH2_PROXY_GITHUB_USER. Then he can directly access the Grafana dashboard with his github account.
Did you try assigning the value OAUTH2_PROXY_GITHUB_USER
There's also values for the org, team and repo that could be used which is shown in the linked provider documentation.
Thanks for your blog. It helps me a lot. I got a question, How would I authenticate in grafana using BTP itself. In this guide https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/3e4299cfd0884c428e6b4774225638e8.html a prerequisite is IAS. But I don't have IAS and it's not possible to configure it. Is it possible to configure it in another way but using SAP technologies, apart from IAS?
For BTP using IAS would be ideal. It's possible that you could create an XSUAA instance and use it, but when I tried I could not figure out how to get it to be restrictive.
With xsuaa seems to be more interesting, could you share how you did it? Have you tried using BTP roles to restrict access?
Create an instance specifying the oauth2-configuration.redirect-uris to your grafana url and then configure grafana with the values of the instance.
It worked, now just find out 02 things:
01 - why I don't have authorization to favorite the dashboards.
02 - why SAP didn't make this setting by default.
Thank you very much for now